Transformation from e-voting to e-cheque

Although e-voting scheme and e-cheque scheme are two different applications, they have similarities in the scheme definitions and security properties. This inspires us to establish a relationship between the two schemes by formalising a generic transformation from e-voting to e-cheque scheme. Firstly, we define the scheme definitions and security models for both e-voting scheme and e-cheque scheme. Subsequently, we demonstrate a generic transformation framework from e-voting to e-cheque with asymptotic complexity of O(n) and design a formal proof to show that a secure e-voting scheme can be transformed into a secure e-cheque scheme. As a proof of concept, we apply our newly proposed transformation technique to the e-voting scheme proposed by Li et al. and obtain a concrete e-cheque scheme.


Introduction
There are many studies of electronic systems (e-systems) in the literature such as e-voting [1][2][3][4] and e-cheque [5][6][7][8].Chaum in 1981 first introduced the concept of e-voting scheme [9] that serves as a platform that permits an individual to collaboratively make a decision or to choose a representative through online means while Chaum et al. in 1988 [10] first introduced the concept of e-cheque scheme in which e-cheque is a digital analogy to a paper cheque.Even though these systems may seem very different in their respective applications, they share similarities in their scheme definitions and security properties which lead to the possibility of establishing a generic transformation framework, that is we can derive one scheme from another scheme.However, the research communities are disjointed [11] and to the best of our knowledge, there is no transformation frameworks between e-voting and e-cheque have been explored.The beauty of transformation is that we do not need to build the entire scheme from scratch, and a transformed scheme inherits the security guarantee from the original scheme.

Related work
e-Auction was first proposed by Franklin and Reiter in 1996 [12].In an e-auction, the auctioneer can place products or services on the website for auction and the bidder can bid for their desired products or services on the bidding website.The bidder with the highest bid wins the game.McCarthy et al. [13] and Quaglia and Smyth [14] presented some transformations from e-voting to e-auction subsequently.More specifically, McCarthy et al. [13] proposed two specific transformations from e-voting to e-auction, namely, from Helios e-voting to Hawk eauction scheme and from Civitas e-voting to Aucitas e-auction.McCarthy et al. [13] claimed that the Hawk e-auction satisfied indistinguishability under chosen-plaintext attack (IND-CPA) while the Aucitas e-auction satisfied collusion resistance without providing security proofs [14].Quaglia and Smyth [14] proposed a generic transformation framework from e-voting to a secret, verifiable e-auction.Quaglia and Smyth [14] revised the proposed scheme of McCarthy et al. [13] by providing strong theoretical foundation where the scheme satisfied correctness, injectivity, completeness, verifiability and bid secrecy.Yeow et al. [15] presented a generic transformation framework from e-auction to e-cheque.Their proposed transformation framework satisfied existential unforgeability under chosen account attack (EUF-CAA), payer anonymity under chosen account attack (PA-CAA), and indistinguishability under chosen cheque attack (IND-CCeA).We observed that since e-voting can be transformed into eauction and e-auction can be transformed into e-cheque as shown in Fig 1 .To the best of our knowledge, there is no direct transformation from e-voting to e-cheque has been proposed in the literature.Hence, it would be natural to explore the possibility of direct transformation between e-voting and e-cheque as the two schemes possess high similarities in terms of scheme definitions and security properties.In this work, we demonstrate that the disjoint research fields of e-voting and e-cheque are related.Our work unifies e-voting and e-cheque, and thus expedite the development of both fields.Particularly, a secure e-cheque scheme can now be directly derived from an e-voting scheme without first transforming the e-voting to an e-auction and then only transforming the e-auction to an e-cheque.
While Quaglia and Smyth [14] proposed a generic transformation framework from e-voting to e-auction with asymptotic complexity of OðnÞ, Yeow et al. [15] presented a generic transformation framework from e-auction to e-cheque with asymptotic complexity of OðnÞ.Therefore, using current transformation frameworks to obtain e-cheque from e-voting scheme required first transforming the e-voting to an e-auction and then only transforming the e- auction to an e-cheque, thus required 2OðnÞ as shown in Table 1.We propose a direct transformation from e-voting to e-cheque which only required the complexity of OðnÞ.

Our contribution
In this paper, we first review the scheme definitions of e-voting and e-cheque, followed by their security models respectively.While a rigorous security model for e-cheque schemes has been established [15], it is not the case for e-voting schemes.Therefore, we define some important security properties for e-voting, namely, confidentiality, anonymity, and unforgeability that are required to perform the transformation before presenting the generic transformation from e-voting to e-cheque.With that, we can support the proposed transformation with rigorous security proofs which shows that if the underlying e-voting scheme fulfills confidentiality, anonymity, and unforgeability, then the transformed e-cheque scheme is also fulfills confidentiality, anonymity, and unforgeability.Finally, we demonstrate this established transformation framework by providing an instance in which we exhibit how to derive an e-cheque scheme by employing the e-voting scheme proposed by Li et al. [16] as the underlying scheme.

e-voting
Since the existing definitions for e-voting schemes are more specific based on the respective constructions, we make an effort to provide a more general definition which applies to all construction.
The e-voting scheme consists of three algorithms: • Register (1 k ) ! {(pk T , sk T ), (pk V , sk V )}: This algorithm is executed by a trusted third party (TTP).It takes the security parameters 1 k as the input and outputs a pair of public and private keys for the tallier (pk T , sk T ) and the voter (pk V , sk V ).
• Vote (pk T , sk V , v) !(Bal): This algorithm is executed by the voter.It takes the tallier's public key pk T , the voter's private key sk V , and the voter's choice of candidates (v) as input and outputs ballot (Bal).The voter submits Bal to the tallier to cast a vote.
• Tally (sk T , pk V , Bal) !(Result V ): This algorithm is executed by the tallier.The tallier takes the tallier's private key sk T , the voter's public key pk V , and the ballot Bal as input, verifies if the Bal is valid then computes the tally result (Result V ) of the valid Bal.

e-cheque
The e-cheque scheme consists of three algorithms [15]: • Register (1 k ) ! {(pk B , sk B ), (pk P , sk P )}: This algorithm is executed by a trusted third party (TTP).It takes the security parameters 1 k as input and outputs a pair of public and private keys for the bank (pk B , sk B ) and the payer (pk P , sk P ).• Write (pk B , sk P , M) !(ϑ): This algorithm is executed by the payer.It takes the bank's public key pk B , the payer's private key sk P , and M where M = (I, $), I is the account information and $ is the amount as input and outputs a concealed cheque (ϑ).The payer submits ϑ to the bank system.
• Transfer (sk B , pk P , ϑ) !(Result T ): This algorithm is executed by the bank.The bank takes its own private key sk B , payer's public key pk P , and a concealed cheque ϑ as input and verifies if the ϑ is valid then the bank processes the transaction (Result T ) according to the M embedded in valid ϑ.
3 Security model

Security requirements for e-voting
1. Confidentiality.According to Bernhard et al. [17], confidentiality and privacy are synonymous in most security applications.In an e-voting scheme, privacy means the cast votes are anonymous to any party except when the election result reveals the vote [18].We define for the first time the following game as indistinguishability under chosen ballot attack (IND-CBAA).We define the game between the Adversary and Challenger as follows.
• Registration phase: The Challenger provides the system parameters to the Adversary.
Anonymity.According to Zaghloul et al. [1], anonymity in an e-voting scheme means the identity of the voter remains anonymous.We define for the first time the following game as indistinguishability under chosen voter's vote attack (IND-CVA).We define the game between the Adversary and Challenger as follows.
• Registration phase: The Challenger provides the system parameters to the Adversary.
• Training phase: The Adversary can query v i to the Vote oracle and get a ballot Bal i in return where i is the number of iterations run by the Adversary.The Adversary can verify Bal i by issuing Bal i to the Tally oracle.The Tally oracle will reply tally result to the Adversary, the Adversary extracts the validity result either valid or invalid from the tally result.
• Identifying phase: The Adversary chooses v* and sends it to the Challenger.The Challenger returns Bal b where b 2 {0, 1} and one of them is generated by using v*.The Adversary makes a guess b 0 = {0, 1} and wins the game if b 0 = b.

Definition 2 (IND-CVA). An e-voting scheme is (ε, t)-indistinguishable under chosen voter's vote attack (IND-CVA) if no probabilistic polynomial time Adversary A can win the game above in time t, Adversaries advantage ε, and
3. Unforgeability.According to Li and Lai [19], unforgeability in an e-voting scheme means it is infeasible to forge a valid ballot for another voter.We define for the first time the following game as existential unforgeability under chosen vote attack (EUF-CVA).We define the game between the Adversary and Challenger as follows.
• Registration phase: The Challenger provides the system parameters to the Adversary.
• Training phase: The Adversary can query v i to the Vote oracle and get a ballot Bal i in return where i is the number of iterations run by the Adversary.The Adversary can verify Bal i by issuing Bal i to the Tally oracle.The Tally oracle will reply tally result to the Adversary, the Adversary extracts the validity result either valid or invalid from the tally result.
• Forging phase: The Adversary chooses v* and forges Bal*.If the Bal* is a valid ballot, the Adversary wins the game.

Security requirements of e-cheque
1. Confidentiality.According to Yeow et al. [15], confidentiality in the e-cheque scheme means the invalid and unused e-cheques are anonymous to any party.The following game is the indistinguishability under chosen cheque attack (IND-CCEA) security notion for an e-cheque scheme.The security model proposed by Yeow et al. [15] is as follows.
• Registration phase: The Challenger provides the system parameters to the Adversary.
• Training phase: The Adversary can query M i to the Write oracle and get a cheque ϑ i in return where i is the number of iterations the Adversary runs.The Adversary can verify ϑ i by issuing ϑ i to the Transfer oracle.The Transfer oracle will reply transaction result to the Adversary, the Adversary extracts the validity result either valid or invalid from the transaction result.
• Identifying phase: The Adversary chooses M 0 and M 1 and sends both to the Challenger.
Anonymity.According to Yeow et al. [15], anonymity in the e-cheque scheme means the identity of the payer remains secret from others except for the bank.The following game is the indistinguishability under chosen cheque's information attack (IND-CIA) security notion for an e-cheque scheme.The security model proposed by Yeow et al. [15] is as follows.
• Registration phase: The Challenger provides the system parameters to the Adversary.
• Training phase: The Adversary can query M i to the Write oracle and get a cheque ϑ i in return where i is the number of iterations the Adversary runs.The Adversary can verify ϑ i by issuing ϑ i to the Transfer oracle.The Transfer oracle will reply transaction result to the Adversary, the Adversary extracts the validity result either valid or invalid from the transaction result.
Unforgeability.According to Yeow et al. [15], unforgeability in an e-cheque scheme means it is infeasible to forge a valid signed e-cheque of another user.The following game is the existential unforgeability under chosen cheque's information attack (EUF-CIA) security notion for an e-cheque scheme.The security model proposed by Yeow et al. [15] is as follows.
• Registration phase: The Challenger provides the system parameters to the Adversary.

Transformation
We now present a generic transformation from e-voting scheme to an e-cheque scheme.We first explain the entities and associated information at below: • Tallier in e-voting scheme plays the role as the bank in e-cheque scheme.
• Voter in e-voting scheme plays the role as the payer in e-cheque scheme.
• Candidate in e-voting scheme plays the role as the payee in e-cheque scheme.
• Ballot in e-voting scheme is viewed as the cheque in e-cheque scheme.
• Vote in e-voting scheme is viewed as the account information and amount in e-cheque scheme.
• Write (pk B , sk P , M) !ϑ.A payee runs the voting algorithm of e-voting Vote (pk T , sk V , v) !Bal, where pk T = pk B , sk V = sk P , v = M, and the output Bal = ϑ.
• Transfer (sk B , pk P , ϑ) !Result T .The bank runs the tally algorithm of the e-voting Tally (sk T , pk V , Bal) !Result V , where sk T = sk B , pk V = pk P , Bal = ϑ, and the verification result of the e-voting Result V = the verification result of the e-cheque Result T We note that there exists an implementation process to which we may need to pay more attention.More specifically, a bulletin board is required in an e-voting scheme but it is not required in an e-cheque scheme.Therefore, we propose to treat the bulletin board in the e-voting scheme as a platform in the banking system to verify the status of the cheque transaction process, which somehow seems natural.
We also noticed that the transformation from e-cheque to e-voting cannot be performed directly due to the security requirements for e-voting are more stringent than e-cheque.In precise, an e-voting scheme requires receipt-freeness, where the voter cannot attain any information that can be used to prove how he voted for any party.It also demands coercion-resistance, where the coercers cannot insist that voters vote in a certain way and the voter cannot prove his vote to the information buyer [20].On the contrary, e-cheque scheme does not require these properties.Nevertheless, extensive studies are required to affirm if such a transformation is possible.

Security analysis
We provide the security analysis to show that the transformed e-cheque scheme fulfils the respective security requirements which follow directly from those of the underlying e-voting scheme.Theorem 1, Theorem 2, and Theorem 3 present respectively the security analysis of confidentiality, anonymity and unforgeability of the transformed e-cheque scheme from e-voting scheme.

Confidentiality
Theorem 1.Let e-voting = {Register, Vote, Tally} be the secure e-voting scheme and let e-cheque = {Register, Write, Transfer} be the transformed e-cheque scheme.If the underlying e-voting scheme is (t, q v , ε)-secure against indistinguishability under chosen ballot attack (IND-CBAA), then the transformed e-cheque scheme is (t 0 , q w , ε 0 )-secure against indistinguishability under chosen cheque attack (IND-CCEA), where q w , q v are the total write and vote query, respectively, and n is a negligible function parameterised by the security parameter k.Proof.Suppose that A 2 is an Adversary who (t 0 , q w , ε 0 )-breaks the IND-CCEA of e-cheque scheme.We show that e-voting scheme is not (t, q v , ε)-secure.Hence, we show how A 1 can use A 2 to (t, q v , ε)-break the IND-CBAA of e-voting scheme.A 1 runs A 2 as a subroutine and simulates its attack environment.Fig 2 shows the simulated Adversary game and the environment between A 1 and A 2 .
The Challenger passes Params to A 1 .A 1 passes Params to A 2 and completed the Register phase.In the Training phase, A 2 issues M as a write query to A 1 .A 1 sets v = M and inputs v to Vote oracle using vote query to produce Bal.A 1 sets ϑ = Bal, A 1 returns ϑ to A 2 .A 2 issues ϑ as a transfer query to A 1 .A 1 sets Bal = ϑ and inputs Bal to Tally oracle to verify if Bal is valid.The Tally oracle returns the tally result to A 1 , A 1 extracts the validity result from the tally result and returns the validity result either valid or invalid to A 2 .
At some point, A 2 decides that the Training phase is over and starts the Identifying phase.A 2 chooses M 0 and M 1 .A 2 passes M 0 and M 1 to As A 1 simulates the environment perfectly, we have ε = ε 0 and t = t 0 as required where A 1 runs in time t while A 2 runs in time t 0 .

Anonymity
Theorem 2. Let e-voting = {Register, Vote, Tally} be the secure e-voting scheme and let e-cheque = {Register, Write, Transfer} be the transformed e-cheque scheme.If the underlying e-voting scheme is (t, q v , ε)-secure against indistinguishability under chosen voter's vote attack (IND-CVA), then the transformed e-cheque scheme is (t 0 , q w , ε 0 )-secure against indistinguishability under chosen cheque's information attack (IND-CIA), where q w , q v is the total write and vote query, respectively, and n is a negligible function parameterised by the security parameter k.Proof.Suppose that A 2 is an Adversary who (t 0 , q w , ε 0 )-breaks the IND-CIA of e-cheque scheme.We show that e-voting scheme is not (t, q v , ε)-secure.Hence, we show how A 1 can use A 2 to (t, q v , ε)-break the IND-CVA of e-voting scheme.A 1 runs A 2 as a subroutine and simulates its attack environment.As A 1 simulates the environment perfectly, we have ε = ε 0 and t = t 0 as required where A 1 runs in time t while A 2 runs in time t 0 .

Unforgeability
Theorem 3. Let e-voting = {Register, Vote, Tally} be the secure e-voting scheme and let e-cheque = {Register, Write, Transfer} be the transformed e-cheque scheme.If the underlying e-voting scheme is (t, q v , ε)-secure against existential unforgeable under chosen vote attack (EUF-CVA), then the transformed e-cheque scheme is (t 0 , q w , ε 0 )-secure against existential unforgeability under chosen cheque's information attack (EUF-CIA), where t ¼ t 0 ; q v ¼ q w ; ε ¼ ε 0 � nðkÞ ð3Þ q w , q v is the total write and vote query, respectively, and n is a negligible function parameterised by the security parameter k.Proof.Suppose that A 2 is an Adversary who (t 0 , q w , ε 0 )-breaks the EUF-CIA of e-cheque scheme.We show that e-voting scheme is not (t, q v , ε)-secure.Hence, we show how A 1 can use A 2 to (t, q v , ε)-break the EUF-CVA of e-voting scheme.A 1 runs A 2 as a subroutine and simulates its attack environment.Fig 4 shows the simulated adversarial game and environment between A 1 and A 2 .
The Challenger passes Params to A 1 .A 1 passes Params to A 2 and completed the Register phase.In the Training phase, A 2 issues M as a write query to A 1 .A 1 sets v = M and inputs v to Vote oracle using vote query to produce Bal.A 1 sets ϑ = Bal, A 1 returns ϑ to A 2 .A 2 issues ϑ as a transfer query to A 1 .A 1 sets Bal = ϑ and inputs Bal to Tally oracle to verify if Bal is valid.The Tally oracle returns the tally result to A 1 , A 1 extracts the validity result from the tally result and returns the validity result either valid or invalid to A 2 .
At some point, A 2 decides that the Training phase is over and starts the Forging phase.With a probability ε 0 � nðkÞ, A 2 outputs a guess ϑ* to A 1 .A 1 uses A 2 's answer as its guess.Since ϑ* is valid, then Bal* is valid, A 1 thus breaks EUF-CVA security.
As A 1 simulates the environment perfectly, we have ε = ε 0 and t = t 0 as required where A 1 runs in time t while A 2 runs in time t 0 .

An instance
Li et al. [16] proposed an anonymous authentication scheme, namely, event-oriented linkable and traceable anonymous authentication (EOLTAA) and utilised the EOLTAA scheme with public key encryption scheme that is semantically secure to construct a blockchain e-voting scheme.We provide a review of the underlying PKE, EOLTAA and the scheme definitions of Li et al.'s e-voting scheme.We then formally prove that their proposed e-voting scheme possesses confidentiality, anonymity, and unforgeability.Lastly, we perform a transformation from Li et al.'s e-voting scheme to an e-cheque scheme as an instance.

Underlying cryptographic tools
We review the public key encryption scheme and event-oriented linkable and traceable anonymous authentication scheme as follows.
• Public Key Encryption (PKE) Scheme [21].A PKE scheme consists of three algorithms: • E.KeyGen (1 λ ) ! (pk e , sk e ).This algorithm takes security parameter (1 λ ) as the input and outputs a pair of public and private key for the user (pk e , sk e ).
• E.Encrypt (m, pk e ) ! C.This algorithm takes a message m and a public key (pk e ) as input and outputs a ciphertext C.
• E.Decrypt (C, sk e ) ! m.This algorithm takes a ciphertext C and a private key sk e as input and outputs the message m.
• UKeyGen (1 λ ) ! (usk, upk).The user key generation algorithm takes a security parameter (λ) as input and outputs a secret key (usk) and a public key (upk).Proof.Suppose that A 2 is an Adversary who (t 0 , q v , ε 0 )-breaks the IND-CBAA of e-voting scheme and A 1 = A PKE is the Adversary which (t, q a , ε)-breaks the IND-CCA of the AUTHPKE scheme.We show that AUTHPKE scheme is not (t, q a , ε)-secure.Hence, we show how A 1 can use A 2 to (t, q a , ε)-break the IND-CCA of AUTHPKE scheme.A 1 runs A 2 as a subroutine and simulates its attack environment.
The AUTHPKE Challenger passes Params, public key upk, private key usk, and certificate Cert to A 1 where the upk, usk, and Cert are from the EOLTAA scheme.We let A 1 possesses the (upk, usk, Cert) of the EOLTAA scheme so that it can simulate the Vote oracle and Tally oracle for A 2 .Note that, even though A 1 possesses (upk, usk, Cert) of the EOLTAA scheme it does not help A 1 in breaking the IND-CCA security.A 1 passes Params to A 2 and completed the Register phase.
In the Training phase, A 2 issues v as a vote query to A 1 which is the Vote oracle from A 2 's view.A 1 sets m = v and encrypts m to produce C.Then, A 1 generates π on C and returns Bal = {C, π} = α to A 2 .A 2 issues Bal as a tally query to A 1 .A 1 sets α = Bal and uses its Decrypt oracle to simulate Tally oracle for A 2 , that is, A 1 issues α to Decrypt oracle to verify if α is valid.The Decrypt oracle returns the decryption result to A 1 , A 1 extracts the validity result from the decryption result and returns the validity result either valid or invalid to A 2 .
At some point, A 2 decides that the Training phase is over and starts the Identifying phase.A 2 chooses v 0 and v 1 as the challenge and passes v 0 and v 1 to As A 1 simulates the environment perfectly, we have ε = ε 0 and t = t 0 as required where A 1 runs in time t while A 2 runs in time t 0 .6.4.2Anonymity.Theorem 5. Let AUTHPKE = {Register, Authentication, Verification} be the secure event-oriented linkable and traceable anonymous authentication scheme and public key encryption scheme and let e-voting = {Register, Vote, Tally} be the secure e-voting scheme.If the underlying AUTHPKE is (t, q a , ε)-anonymous, then the e-voting scheme is (t 0 , q v , ε 0 )-secure against indistinguishability under chosen voter's vote attack (IND-CVA), where q v is the vote query, q a is the authentication query, ε is the non-negligible advantage to break the anonymity in AUTHPKE, ε 0 is the non-negligible advantage to break the IND-CVA in e-voting, n is a negligible function parameterised by the security parameter k, and t is the time required to complete the attack.Proof.Suppose that A 2 is an Adversary who (t 0 , q v , ε 0 )-breaks the IND-CVA of e-voting scheme and A 1 = A AUTH where A AUTH is the Adversary who (t, q a , ε)-breaks the anonymity of the AUTHPKE scheme.We show that AUTHPKE scheme is not (t, q a , ε)-secure.Hence, we show how A 1 can use A 2 to (t, q a , ε)-break the anonymity of AUTHPKE scheme.A 1 runs A 2 as a subroutine and simulates its attack environment.
The AUTHPKE Challenger passes Params and public, private key (pk e , sk e ) to A 1 where the (pk e , sk e ) are from the PKE scheme.We let A 1 possesses the public key and private key (pk e , sk e ) of the PKE scheme so that it can simulate the Vote oracle and Tally oracle for A 2 .Note that, even though A 1 possesses (pk e , sk e ) of the PKE scheme it does not help A 1 in breaking the anonymity security.A 1 passes Params to A 2 and completed the Register phase.
In the Training phase, A 2 issues v as a vote query to A 1 which is the Vote oracle from A 2 's view.A 1 sets m = v and encrypts m to produce C.Then, A 1 generates π on C and returns Bal = {C, π} = α to A 2 .A 2 issues Bal as a tally query to A 1 .A 1 sets α = Bal and uses its Decrypt oracle to simulate Tally oracle for A 2 , that is, A 1 issues α to Decrypt oracle to verify if α is valid.The Decrypt oracle returns decryption result to A 1 , A 1 extracts the validity result from the decryption result and returns the validity result either valid or invalid to A 2 .
At some point, A 2 decides that the Training phase is over and starts the Identifying phase.As A 1 simulates the environment perfectly, we have ε = ε 0 and t = t 0 as required where A 1 runs in time t while A 2 runs in time t 0 .6.4.3Unforgeability.Theorem 6.Let AUTHPKE = {Register, Authentication, Verifica-tion} be the secure event-oriented linkable and traceable anonymous authentication scheme and public key encryption scheme and let e-voting = {Register, Vote, Tally} be the secure e-voting scheme.If the underlying AUTHPKE is (t, q a , ε)-unforgeable, then the e-voting scheme is (t 0 , q v , ε 0 )-secure against existential unforgeable under chosen vote attack (EUF-CVA), where q v is the vote query, q a is the authentication query, ε is the non-negligible advantage to break the unforgeability in AUTHPKE, ε 0 is the non-negligible advantage to break the EUF-CVA in e-voting, n is a negligible function parameterised by the security parameter k, and t is the time required to complete the attack.Proof.Suppose that A 2 is an Adversary who (t 0 , q v , ε 0 )-breaks the EUF-CVA of e-voting scheme and A 1 = A AUTH where A AUTH is the Adversary who (t, q a , ε)-breaks the unforgeability of AUTHPKE scheme.We show that AUTHPKE scheme is not (t, q a , ε)-secure.Hence, we show how A 1 can use A 2 to (t, q a , ε)-break the unforgeability of AUTHPKE scheme.A 1 runs A 2 as a subroutine and simulates its attack environment.
The AUTHPKE Challenger passes Params and public, private key (pk e , sk e ) to A 1 where the (pk e , sk e ) are from the PKE scheme.We let A 1 possesses the public key and private key (pk e , sk e ) of the PKE scheme so that it can simulate the Vote oracle and Tally oracle for A 2 .Note that, even though A 1 possesses (pk e , sk e ) of the PKE scheme it does not help A 1 in breaking the unforgeability security.A 1 passes Params to A 2 and completed the Register phase.
In the Training phase, A 2 issues v as a vote query to A 1 which is the Vote oracle from A 2 's view.A 1 sets m = v and encrypts m to produce C.Then, A 1 generates π on C and returns Bal = {C, π} = α to A 2 .A 2 issues Bal as a tally query to A 1 .A 1 sets α = Bal and uses its Decrypt oracle to simulate Tally oracle for A 2 , that is, A 1 issues α to Decrypt oracle to verify if α is valid.The Decrypt oracle returns the decryption result to A 1 , A 1 extracts the validity result from the decryption result and returns the validity result either valid or invalid to A 2 .
At some point, A 2 decides that the Training phase is over and starts the Forging phase.With a probability ε 0 � nðkÞ, A 2 outputs a guess Bal* to A 1 .A 1 uses A 2 's answer as its guess.Since Bal* is valid, then α* is valid, A 1 thus breaks unforgeability security.
As A 1 simulates the environment perfectly, we have ε = ε 0 and t = t 0 as required where A 1 runs in time t while A 2 runs in time t 0 .

Security of Li et al's transformed e-cheque scheme
We have shown that the e-voting scheme proposed by Li et al. [16] possesses confidentiality, anonymity, and unforgeability as proven in Theorem 4, Theorem 5, and Theorem 6 respectively.Therefore, it is obvious that following from Theorem 1, Theorem 2, and Theorem 3 respectively, the transformed e-cheque scheme also enjoys the corresponding security properties and fulfills the security requirements of an e-cheque scheme.

Discussion
Our e-voting to e-cheque transformation also benefits from Li et al.'s generic construction.Specifically, one can replace their authentication scheme F with other candidates yet our transformation would work as expected.However, we note that except anonymity, F should also satisfy linkability and traceability [16].Therefore, anonymous authentication schemes such as the password-authenticated key exchange protocols based on oblivious pseudorandom function [22] and multi-factor authentication protocol based on "Honeywords" and "Fuzzy-Verifier" [23,24] are not readily applicable.
It is also interesting to explore the reverse transformation, that is, from an e-cheque scheme to an e-voting scheme.From our transformation, we know that the tallier and voter in an evoting scheme is the bank and payer, respectively, in the resulting e-cheque scheme.While a voter needs to be anonymous to the tallier, a payer needs not be anonymous to the bank.In fact, Yeow et al. exploited this weaker anonymity requirement to instantiate an efficient e-cheque scheme from an e-auction scheme that does not protect the winning bidder's anonymity [15].Thus, we conjecture that to realise the reverse transformation, the underlying e-cheque scheme needs to possess an anonymity property that is stronger than IND-CIA.With that said, if there exists a generic approach to upgrade the IND-CIA security in an e-cheque scheme, e-voting schemes is equivalent to e-cheque schemes.We leave this as an open problem.

Conclusion
We presented a generic transformation from e-voting to e-cheque and showed that the transformed e-cheque scheme possesses the security properties of indistinguishability under chosen cheque attack (IND-CCEA), indistinguishability under chosen cheque's information attack (IND-CIA) and existential unforgeability under chosen cheque's information attack (EUF-CIA) if the underlying e-voting scheme is indistinguishability under chosen ballot attack (IND-CBAA), indistinguishability under chosen voter's vote attack (IND-CVA) and existential unforgeability under chosen vote attack (EUF-CVA) respectively.Finally, we demonstrated the newly proposed transformation by deriving a concrete e-cheque scheme from Li et al.'s evoting scheme as an instance.

v 1 to
Vote oracle to obtain Bal b .A 1 sets ϑ b = Bal b , A 1 delivers ϑ b as the problem in IND-CBAA as the challenge to A 2 .With a probability ε 0 � 1 2 þ nðkÞ, A 2 outputs a correct guess b 0 in return.A 1 uses A 2 's answer as its guess.Since b 0 = b, A 1 thus breaks IND-CBAA security.

Fig 2 .
Fig 2. Proof of contradiction-Confidentiality.https://doi.org/10.1371/journal.pone.0302659.g002 Fig 3 shows the simulated adversarial game and environment between A 1 and A 2 .The Challenger passes Params to A 1 .A 1 passes Params to A 2 and completed the Register phase.In the Training phase, A 2 issues M as a write query to A 1 .A 1 sets v = M and inputs v to Vote oracle using vote query to produce Bal.A 1 sets ϑ = Bal, A 1 returns ϑ to A 2 .A 2 issues ϑ as a transfer query to A 1 .A 1 sets Bal = ϑ and inputs Bal to Tally oracle to verify if Bal is valid.The Tally oracle returns the tally result to A 1 , A 1 extracts the validity result from the tally result and returns the validity result either valid or invalid to A 2 .At some point, A 2 decides that the Training phase is over and starts the Identifying phase.A 2 passes M* to A 1 .A 1 sets v* = M* and sends v* to Vote oracle to obtain Bal b where b 2 {0, 1} and one of them is generated by using v*.A 1 sets ϑ b = Bal b and returns ϑ b as the problem in IND-CVA as the challenge to A 2 .With a probability ε 0 � 1 2 þ nðkÞ, A 2 outputs a correct guess
A 2 passes v* as the challenge to A 1 .A 1 sets m* = v*, encrypts m* to obtain C b where b 2 {0, 1}.A 1 generates π b on C b .A 1 sets {C b , π b } = α b = Bal b .A 1 returns Bal b as the challenge to A 2 .With a probability ε 0 � 1 2 þ nðkÞ, A 2 outputs a correct guess Bal b in return.A 1 uses A 2 's answer as its guess.Since Bal b is valid, then α b is valid, thus A 1 breaks anonymity security.

•
Training phase: The Adversary can query v i to the Vote oracle and get a ballot Bal i in return where i is the number of iterations run by the Adversary.The Adversary can verify Bal i by issuing Bal i to the Tally oracle.The Tally oracle will reply tally result to the Adversary, the Adversary extracts the validity result either valid or invalid from the tally result.

•
Identifying phase: The Adversary chooses M* and sends it to the Challenger.The Challenger returns ϑ b where b 2 {0, 1} and one of them is generated by using M*.The Adversary makes a guess b 0 ¼ f0; 1g and wins the game if b 0 ¼ b.
Definition 5 (IND-CIA).An e-cheque scheme is (ε 0 , t)-indistinguishable under chosen cheque's information attack (IND-CIA) if no probabilistic polynomial time AdversaryA can win the game above in time t, Adversaries advantage ε, and Pr½b • Training phase: The Adversary can query M i to the Write oracle and get a cheque ϑ i in return where i is the number of iterations the Adversary runs.The Adversary can verify ϑ i by issuing ϑ i to the Transfer oracle.The Transfer oracle will reply transaction result to the Adversary, the Adversary extracts the validity result either valid or invalid from the transaction result.
• Forging phase: The Adversary chooses M* and forges ϑ*.If the ϑ* is a valid cheque, the Adversary wins the game.Definition 6 (EUF-CIA).An e-cheque scheme is (ε 0 , t)-existential unforgeable under chosen cheque's information attack (EUF-CIA) if no probabilistic polynomial time Adversary A can win the game above in time t, Adversaries advantage ε, and Pr½W * is valid� � ε 0 .